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DETAILED ACTION 

1 . This Office action is in response to the amendment filed on November 26, 2007. 

2. Claims 1-18 and 21-24 are pending. 

3. Claims 1-5, 8-13, 18, and 22-24 have been amended. 

4. Claims 19, 20, and 25 have been cancelled. 

5. The objections to the oath/declaration are withdrawn in view of Applicant's submission 
of the supplemental oath/declaration. 

6. The objection to the drawings is withdrawn in view of AppHcant's amendments to the 
specification. 

7. The objections to the specification are withdrawn in view of Applicant's amendments to 
the specification. However, Applicant's amendments to the specification fail to fully address the 
objection due to the use of trademarks. Accordingly, this objection is maintained and further 
explained belovv. 

8. The objections to Claims 1 , 2, 5, 8-17, and 24 are withdrawn in view of Applicant's 
amendments to the claims. 

9. The 35 U.S.C. § 112, second paragraph, rejections of Claims 5, 13, and 22-25 are 
withdrawn in view of Applicant's amendments to' the claims and/or cancellation of the claims. 

10. The 35 U.S.C. § 101 rejections of Claims 18-25 are withdrawn in view of Applicant's 
amendments to the claims and/or cancellation of the claims. 
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Response to Amendment 
Specification 

1 1 . The use of trademarks, such as >yiNDOWS, has been noted in this application — 
particularly, on page 22, paragraph [0066], Trademarks should be capitalized wherever they 
appear (capitalize each letter OR accompany each trademark with an appropriate designation 
symbol, e.g., or ®) and be accompanied by the generic terminology (use trademarks as 
adjectives modifying a descriptive noun, e.g., "the WINDOWS operating system"). 

Although the use of trademarks is permissible in patent applications, the proprietary 
nature of the marks should be respected and every effort made to prevent their use in any 
manner, which might adversely affect their validity as trademarks. 

Claim Objections 

12. Claim 21 is objected to because of the following informalities: 

• Claim 21 contains a typographical error: Claim 21 should depend on Claim 18, not 
Claim 20. 

Appropriate correction is required. 

Claim Rejections - 35 USC § 102 

13. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 
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14. Claims 1-8, 10, and 11 are rejected under 35 U.S.C. 102(b) as being anticipated by US 
5,946,486 (hereinafter ^TekowskiOl") 

As per Claim 1, PekowskiOl discloses: 

- from the first software module, issuing a call to a first method that invokes a 
functionality performed by the second software module (see Figure 6: 700 and 7 JO; Column 10: 

22-24, ''Calling application executable program 700 contains a call to a specific entry point of a 
target DLL 710'')\ 

using a third software module having one or more stubs for performing said first 
method that invokes said functionality performed by the second software module, the one or 
more stubs being used to enter the second software module and identify said functionality (see 
Figure 6: 725; Column 10: 25-27, "Call 705 to the entry point to target DLL 710 calls 
corresponding entry point function 720 in shadow DLL 725. " and 31-35, ''Shadow DLL 725 
contains entry point functions 735,^ 740, 745 for each entry point in the target DLL 710. After 
jumping to the common entry code 730, the common entry then jumps to target DLL 710 which 
then returns to exit function 750 in shadow DLL 725. 

verifying that the call originated from a source that is permitted to invoke said 
functionality, the one or more stubs comprising data required during said verification (see 
Column 9: 40-43, ''At the shadow DLL's entry point function, the stack contains the caller's 
return address 600 and the caller's parameter 610 pushed onto the stack by the caller (see FIG. 
5A). Column 10: 27-30, ''Entry point 720 contains programming code which contains the 
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instruction of jumping to common entry code 730 while passing the parameters of entry point 
address, hook value, entry only flag, and first time flag, "j; 

- performing said functionality (see Column 10: 32-35, ''After Jumping to the common 
entry code 730, the common entry then jumps to target DLL 71 0 which then returns to exit 
function 750 in shadow DLL 725/'); and 

- returning to said first software module (see Column 10: 41 and 42, ''Common exit 
function 755 returns to the calling application program executable 700. 

As per Claim 2, the rejection of Claim 1 is incorporated; and PekowskiOl further 

discloses: 

- wherein said first method is performed by the second software module, said first 
method being exposed to the first software module, said first method performing said 
functionality (see Figure 3; Column 4: 67 to Column 5: 1-3, ''... the shadow DLL acts as an 
interceptor of all calls being made to the target DLL, and thus each call to the target DLL and 
return from the target DLL passes through the shadow DLL. 

As per Claim 3, the rejection of Claim 1 is incorporated; and PekowskiOl further 
discloses: 

- wherein the data required during said verification is niixed into instruction streams 
provided by the one or more stubs (see Column 10: 27-30, "Entry point 720 contains 
programming code which contains the instruction of jumping to common entry code 730 while 
passing the parameters of entry point address, hook yalue, entry only flag, and first time flag. 
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As per Claim 4, the rejection of Claim 1 is incorporated; and PekowskiOl further 
discloses: 

wherein said call is made according to a first calling convention, and wherein said 
third software module uses a second calling convention different from said first calling 
convention to invoke said functionality in the second software module, the second calling 
convention comprising a non-standard calling convention that preserves a return address across 
more than one call boundary (see Figure 3; Column 9: 43-47, ''At the shadow DLL's common 
entry function, the stack contains the caller's return address 600, the caller's parameters 610, the 
first time called flag 602, entry only flag 604, hook value 606, and target DLL's entry point 
address 608. " and 52-59, ''At the target DLL's entry point function, the stack contains the 
caller's parameters 610 pushed onto the stack by the caller and the return address 630 of 
element allocated from the return function table replaced by the common entry function (see 
FIG, 5C). The return address table contains the caller's return address 600 and the hook value 
606 for entry point allocated by the common entry function to save caller's return address. 

As per Claim 5, the rejection of Claim 4 is incorporated; and PekowskiOl further 
discloses: 

" wherein said second calling convention causes a program stack to be modified in 
order to cause a next occurring return instruction to cause a return to the location in which a 
return would have occurred if a return had been executed following a call to said third software 
module and prior to a call to said second software module (see Column 9: 52-59, ''At the target 
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DLL's entry point function, the stack contains the caller's parameters 610 pushed onto the stack 
by the caller and the return address 630 of element allocated from the return function table 
replaced by the common entry function (see FIG, 5C). The return address table contains the . 
caller's return address 600 and the hook value 606 for entry point allocated by the common entry 
function to save caller's return address. 

As per Claim 6, the rejection of Claim 3 is incorporated; and PekowskiOl further 
discloses: 

wherein said first calling convention comprises placing a first return address on a 
stack, said first return address representing a location at which execution is to resume after a 
function call is completed, and wherein said second calling convention comprises placing a 
second return address on a stack and placing data at the location represented by said second 
return address (see Column 9: 43-47, "At the shadow DLL's common entry function, the stack 
contains the caller's return address 600, the caller's parameters 610, the first time called flag 
602, entry only flag 604, hook value 606, and target DLL's entry point address 608. " and 52-59, 
''At the target DLL's entry point function, the stack contains the caller's parameters 610 pushed 
onto the stack by the caller and the return address 630 of element allocated from the return 
function table replaced by the common entry function (see FIG. 5C). The return address table 
contains the caller's return address 600 and the hook value 606 for entry point allocated by the 
common entry function to save caller's return address. "J, and wherein the method further 
comprises: 
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- using said second return address to find said data, said data being used for at least one 

of: 

- performing said verifying act; and 

identifying a location to execute in order to perform said functionality (see 
Column 9: 52-59, ''At the target DLLs entry point function, the stack contains the caller's 
parameters 610 pushed onto the stack by the caller and the return address 630 of element 
allocated from the return function table replaced by the common entry function (see FIG. 5C). 
The return address table contains the caller's return address 600 and the hook value 606 for 
entry point allocated by the common entry function to save caller's return address. 

As per Claim 7, the rejection of Claim 1 is incorporated; and PekowskiOl further 
discloses: 

- examining a call stack to identify a return address, and determining that the return 
address is part of a program module that is permitted, according to a standard or rule, to invoke 
said functionality (see Column 9: 40-43, ''At the shadow DLL's entry point function, the stack 
contains the caller's return address 600 and the caller's parameter 610 pushed onto the stack by 
the caller (see FIG, 5A). 

As per Claim 8, the rejection of Claim 7 is incorporated; and PekowskiOl further 
discloses: 

- determining that said return address is from a location or range of locations within 
said first software module from which invocation of said functionality is permitted to originate 
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(see Column 9: 40-43, ''At the shadow DLL's entry point function, the stack contains the caller's 
return address 600 and the caller's parameter 610 pushed onto the stack by the caller (see FIG. 

As per Claim 10, the rejection of Claim 1 is incorporated; and PekowskiOl further 
discloses: 

- wherein said first software module is, or is part of, an application program (see 
Figure 3: J 50). 

As per Claim 11, the rejection of Claim 1 is incorporated; and PekowskiOl further 
discloses: . 

wherein said second software module comprises a dynamic-link library (see Figure 3: 

160). 

Claim Rejections - 35 USC §103 

15. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 

such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

16. Claims 9, 12, 13, 16, and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over PekowskiOl in view of US 6,880,149 (hereinafter "Cronce") 
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As per Claim 9, the rejection of Claim 1 is incorporated; however, PekowskiOl does not 
disclose: 

- verifying that said first software module, or a portion thereof, has not been modified 
relative to a previously-known state, 

Cronce discloses: 

- verifying that said first software module, or a portion thereof, has not been modified 
relative to a previously-known state (see Column 2: 3-14, ''The resulting executable code is 
delivered as a protected, software application that generates a new checksum at runtime and 
compares it with the computed checksum, and determines that the software program has been 
modified if the checksums fail to match. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the teaching of Cronce into the teaching of PekowskiOl to 
include verifying that said first software module, or a portion thereof, has not been modified 
relative to a previously-known state. The modification would be obvious because one of ordinary 
skill in the art would be motivated to validate code base integrity (see Cronce - Column 2: 15- 
17), 

As per Claim 12, PekowskiOl discloses: 

- examining a call stack of a process in which said first program module executes to 
identify a return address in which control of the process will return upon completion of a call to 
said first program module (see Column 9: 52-59, ''At the target DLL's entry point function, the 
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stack contains the caller's parameters 610 pushed onto the stack by the caller and the return 
address 630 of element allocated from the return function table replaced by the common entry 
function (see FIG. 3C). The return address table contains the caller's return address 600 and the 
. hook value 606 for entry point allocated by the common entry function to save caller's return 
address. *')\ 

determining that said return address is located within a second program module that is 
permitted to call said first program module (see Column 9: 52-59, ''At the target DLL's entry 
point function, the stack contains the caller's parameters 6] 0 pushed onto the stack by the caller 
and the return address 630 of element allocated from the return function table replaced by the 
common entry function (see FIG. 5C/. The return address table contains the caller's return 
address 600 and the hook value 606 for entry point allocated by the common entry function to 
save caller's return address. 'V; and 

based on the result of said determining act, permitting execution of said first program 
module to proceed (see Column 10: 22-24, ''Calling application executable program 700 
contains a call to a specific entry point of a target DLL 710. • 
However, PekowskiOl does not disclose: 

said determining comprising checking a datum that represents a calling code used by 
the second program module, the datum being derived from a portion or the entirety of the second 
program module, 

Cronce discloses: 

said determining comprising checking a datum that represents a calling code used by 
the second program module, the datum being derived from a portion or the entirety of the second 
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program module (see Column 2: 3-14, ''The resulting executable code is delivered as a protected 
softw^are application that generates a new checksum at runtime and compares it with the 
computed checksum, and determines that the software program has been modified if the 
checksums fail to match. Column 3: 19-21, 'If the checksums compare, then the code is not 
changed, and execution begins of the main application code 100, 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the teaching of Cronce into the teaching of PekowskiOl to 
include said determining comprising checking a datum that represents a calling code used by the 
second program module, the datum being derived from a portion or the entirety of the second 
program module. The modification would be obvious because one of ordinary skill in the art 
would be motivated to validate code base integrity (see Cronce - Column 2: 15-1 7), 

As per Claim 13, the rejection of Claim 12 is incorporated; however, PekowskiOl does 
not disclose: 

- determining that said second program module, or a portion thereof, has not been 
modified relative to a previously-known state of said second program module, wherein said act 
of permitting execution of said first program module to proceed is further based on the 
determination as to whether said second program module has been modified. 

Cronce discloses: 

- determining that said second program module, or a portion thereof, has not been 
modified relative to a previously-known state of said second program module, wherein said act 
of permitting execution of said first program module to proceed is further based on the 
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determination as to whether said second program module has been modified (see Column 2: 3- 
14, ''The resulting executable code is delivered as a protected software application that 
generates a new checksum at runtime and compares it with the computed checksum, and 
determines that the softM^are program has been modified if the checksums fail to match. 
Column 3: 19-21, 'If the checksums compare, then the code is not changed, and execution 
begins of the main application code 100. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the teaching of Cronce into the teaching of PekowskiOl to 
include determining that said second program module, or a portion thereof, has not been 
modified relative to a previously-known state of said second program module, wherein said act 
of permitting execution of said first program module to proceed is further based on the 
determination as to whether said second program module has been modified. The modification 
would be obvious because one of ordinary skill in the art would be motivated to validate code 
base integrity (see Cronce - Column 2: 15-1 7). 

As per Claim 16, the rejection of Claim 12 is incorporated; and PekowskiOl further 
discloses: 

- wherein said first program module is called by a third program module, said third 
program module having a callable method exposed to said second program module, said callable 
method causing said first program module to be invoked and passing said return address to said 
first program module at the time that said first program module is invoked (see Figure 3; 
Column 4: 67 to Column 5: 1-3, "... the shadow DLL acts as an interceptor of all calls being 
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made to the target DLL, and thus each call to the target DLL and return from the target DLL 
passes through the shadow DLL. "). 

As per Claim 17, the rejection of Claim 16 is incorporated; and PekowskiOl further 
discloses: 

- wherein said first program module adjusts the content of said call stack to reflect that 
said first program module will return to said return address upon completion of execution of said 
call to said first program module, said call stack reflecting, in the absence of the adjustment, that 
said first program module will return to an address other than said return address (see Column 9: 
52-39, ''At the target DLL's entry point function, the stack contains the caller's parameters 610 
pushed onto the stack by the caller and the return address 630 of element allocated from the, 
return function table replaced by the common entry function (see FIG. 5C). The return address 
table contains the caller's return address 600 and the hook value 606 for entry point allocated by 
the common entry function to save caller's return address. 

.17. Claims 14 and 15 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
PekowskiOl in view of Cronce as applied to Claim 12 above, and further in view of US 
6,226,618 (hereinafter "Downs"). 



As per Claim 14, the rejection of Claim 12 is incorporated; however, PekowskiOl and 

Cronce do not disclose: 
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- wherein said first program module includes logic that resists misuse and/or tampering 
with said first program module, and wherein said determining act is performed by said first 
program module. 

Downs discloses: 

- wherein said first program module includes logic that resists misuse and/or tampering 
with said first program module, and wherein said determining act is performed by said first 
program module (see Column 80: 60-64, "IBM's tamper-resistant software made it difficult to 

circumvent these copy protection mechanisms. This is a very typical application for tamper- 
resistant software: the software is used to enforce rules on the usage of some protected type of 
Content J 13. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the teaching of Downs into the teaching of PekowskiOl to 
include wherein said first program module includes logic that, resists misuse and/or tampering 
with said first program module, and wherein said determining act is performed by said first 
program module. The modification would be obvious because one of ordinary skill in the art 
would be motivated to deter unauthorized entry into a computer software application by a hacker 
(see DoMms - Column 80: 41-43). 

As per Claim 15, the rejection of Claim 12 is incorporated; however, PekowskiOl and 
Cronce do not disclose: 
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- wherein said first program module comprises cryptographic functionality that stores 
and obscures a decryption key and that uses said decryption key to decrypt content, or uses said 
decryption key as part of a process of decrypting content. 

Downs discloses: 

wherein said first program module comprises cryptographic functionality that stores 
and obscures a decryption key and that uses said decryption key to decrypt content, or uses said 
decryption key as part of a process of decrypting content (see Column 10: 61r65, ''Once these 
verifications are satisfied, the Clearinghouse(s) 105 sends the decryption key for the Content 113 
to the requesting End-User (s) packed in a License SC. The. key is encrypted in a manner so that 
only the authorized user can retrieve it. '7, 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the teaching of Downs into the teaching of PekowskiOl to 
include wherein said first program module comprises cryptographic functionality that stores and 
obscures a decryption key and that uses said decryption key to decrypt content, or uses said 
decryption key as part of a process of decrypting content. The modification would be obvious 
because one of ordinary skill in the art would be motivated to allow only the authorized user to 
have access to the secured content (see Downs - Column 10: 41-43), 

18. Claims 18 and 21-23 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
PekowskiOl in view of Cronce and US 6,003,095 (hereinafter "Pekowski02") 



As per Claim 18, PekowskiOl discloses: 
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- a function that is performable on behalf of a calling entity (see Column 10: 22-24, 
''Calling application executable program 700 contains a call to a specific entry point of a target 
DLL710/')\ 

logic that verifies an identity of the calling entity as a condition for performing said 
function, said logic consulting a call stack in order to identify said calling entity and determining 
said identity based on a return address on said call stack, said return address representing a - 
location of an instruction to be executed when the program module completes execution (see 
Column 9: 40-43, ''At the shadow DLL's entry point function, the stack contains the caller's 
return address 600 and the caller's parameter 610 pushed onto the stack by the caller (see FIG, 
5/1/ 'V; and 

- wherein said function is not exposed to said calling entity, and wherein said function 
is exposed to an intermediate entity that is callable by said calling entity, said intermediate entity 
calling upon the program module to perform said function on behalf of said calling entity (see 
Column 10: 25-27, ''Call 705 to the entry point to target DLL 710 calls corresponding entry 
point function 720 in shadow DLL 725. " and 31-35, ''Shadow DLL 725 contains entry point 
functions 735, 740, 745 for each entry point in the target DLL 710. After jumping to the common 
entry code 730, the common entry then jumps to target DLL 710 which then returns to exit 
function 750 in shadow DLL 725, 

However, PekowskiOl does not disclose: 

- said logic checking a datum that represents a calling code used by the calling entity, 
the datum being derived from a portion or the entirety of the calling entity; and 
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wherein the program module upon completing said function bypasses the 
intermediate entity and returns to the calling entity's return address. 
Cronce discloses: 

- said logic checking a datum that represents a calling code used by the calling entity, 
the datum being derived from a portion or the entirety of the calling entity (see Column 2: 3-14, 
'The resulting executable code is delivered as a protected software application that generates a 
new checksum at runtime and compares it with the computed checksum, and determines that the 
software program has been modified if the checksums fail to match Column 3: 19-21, ''If the 
checksums compare, then the code is not changed, and execution begins of the main application 
code 100. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the teaching of Cronce into the teaching of PekowskiOl to 
include said logic checking a datum that represents a calling code used by the calling entity, the 
datum being derived from a portion or the entirety of the calling entity. The modification would 
be obvious because one of ordinary skill in the art would be motivated to validate code base 
integrity (see Cronce - Column 2: 15-1 7), 

Pekowski02 discloses: 

- wherein the program module upon completing said function bypasses the 
intermediate entity and returns to the calling entity's return address (see Column 7: 19-24, 'The 
efficiency comes from skipping the demand load code on the return path of the call. Because the 
call appears to the target DLL as if it came from the original DLL, the return from the call goes 
directly to the original caller's code, skipping the demand load code in between. 
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Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the teaching of Pekowski02 into the teaching of PekowskiOl 
to include wherein the program module upon completing said function bypasses the intermediate 
entity and returns to the calling entity's return address. The modification would be obvious 
because one of ordinary skill in the art would be motivated to efficiently return the call (see 
PekowskiOl - Column 7: 19-24), 

As per Claim 21, the rejection of Claim 18 is incorporated; and PekowskiOl further 
discloses: 

wherein said calling entity calls said intermediate entity using a first calling 
convention, and wherein said intermediate entity calls the program module using a second 
calling convention different from said first calling convention (see Column 9: 43-47, ''At the 
shadow DLL's common entry function, the stack contains the caller's return address 600, the 
caller's parameters 610, the first time called flag 602, entry only flag 604, hook value 606, and 
target DLL's entry point address 608, " and 52-59, ''At the target DLL's entry point fidnction, the 
stack contains the caller's parameters 610 pushed onto the stack by the caller and the return 
address 630 of element allocated from the return function table replaced by the common entry 
function (see FIG. 5C). The return address table contains the caller's return address 600 and the 
hook value 606 for entry point allocated by the common entry function to save caller's return 
address. 
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As per Claim 22, the rejection of Claim 21 is incorporated; and PekowskiOl further 
discloses: 

wherein said calling entity calls said intermediate entity by calling a function in said 
intermediate entity and placing a first return address on said call stack, and wherein said 
intermediate entity calls the program module by calling or jumping to a location in said program 
module with one or more parameters including said first return address, wherein the program 
module verifies that said first return address is located within a calling entity that is allowed to 
call the program module, and wherein the program module adjusts said call stack so that a return 
address to be followed upon a next return instruction is equal to said first return address (see 
Column 9: 43-47, ''At the shadow DLL's common entry function, the stack contains the caller's 
return address 600, the caller's parameters 610, the first time called flag 602, entry only flag 
604, hook value 606, and target DLL's entry point address 608. 

As per Claim 23, the rejection of Claim 21 is incorporated; and PekowskiOl further 
discloses: 

wherein said first calling convention comprises placing a return address on said call 
stack, and wherein said second calling convention comprises placing a second return address on 
said call stack and placing data at the location represented by said second return address, said 
second return address being used to find said data, said data being used to perform at least one 
of: verification of the identity of the calling entity; and identification of a location at which said 
function is located (see Column 9: 52-59, ''At the target DLL's entry point function, the stack 
contains the caller's parameters 610 pushed onto the stack by the caller and the return address 
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630 of element allocated from the return function table replaced by the common entry function 
(see FIG. 5C). The return address table contains the caller 's return address 600 and the hook 
value 606 for entry point allocated by the common entry function to save caller's return 
address. 

19. Claim 2.4 is rejected under 35 U.S.C. 103(a) as being unpatentable over PekowskiOl in 
view of Pekowski02. 

As per Claim 24, PekowskiOl discloses: 

- receiving a first call or first jump from a first entity, there being a call stack which, at 
the time of said first call or first jump, has a state in which a return address to be executed upon a 
next return instruction is equal to a first value (see Figure 3; Column 4: 67 to Column 5: 1-3, "... 
the shadow DLL acts as an interceptor of all calls being made to the target DLL, and thus each 
call to the target DLL and return from the target DLL passes through the shadow DLL. 
Column 9: 43-47, ''At the shadow DLL's common entry function, the stack contains the caller's 
return address 600, the caller's parameters 610, the first time called flag 602, entry only flag 
604, hook value 606, and target DLL's entry point address 608. ")\ and 

- issuing a second call or a second jump to a second entity, the second call or second 
jump being parameterized by one or more values including said first value, said second entity 
having access to a second value and using said second value to verify which return address was 
applicable at the time that said first call or said first jump was made, said second entity adjusting 
said call stack to set the return address equal to the first value (see Figure 3; Column 9: 52-59, 
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"At the target DLL's entry point function, the stack contains the caller's parameters 610 pushed 
onto the stack by the caller and the return address 630 of element allocated from the return 
function table replaced by the common entry function (see FIG, 5C), The return address table 
contains the caller's return address 600 and the hook value 606 for entry point allocated by the 
common entry function to save caller's return address. 
However, PekowskiOl does not disclose: 

- wherein said second entity returns directly to said first entity without returning to an 
intermediate entity that received said first call or said first jump. 

Pekowski02 discloses: 

wherein said second entity returns directly to said first entity without returning to an 
intermediate entity that received said first call or said first jump (see Column 7: 19-24, 'The 
efficiency comes from skipping the demand load code on the return path of the call Because the 
call appears to the target DLL as if it came from the original DLL, the return from the call goes 
directly to the original caller's code, skipping the demand load code in between. . 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the teaching of PekowskiQ2 into the teaching of PekowskiOl 
to include wherein said second entity returns directly to said first entity without returning to an 
intermediate entity that received said first call or said first jump. The modification would be 
obvious because one of ordinary skill in the art would be motivated to efficiently return the call 
(see Pekowski02 - Column 7: 19-24), 
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Response to Arguments 
20. Applicant's arguments with respect to Claims 12 and 1 8 have been considered, but are 
moot in view of the new ground(s) of rejection. 

In the Remarks^ Applicant argues: 

a) The cited Pekowski reference fails to teach or suggest the above recited method including 
a third software module (i.e., module 502 shown in FIG. 5) having one or more stubs for 
performing the first method that invokes the functionality performed by the second software 
module. The one or more stubs are used to enter the second software module and identify the 
functionality. The one or more stubs can, for example, be code segments which are callable by 
the first software module. The one or more stubs comprise data required during the verification 
by the second soft ware module. Unlike that which is claimed in claim 1, the cited Pekowski 
reference teaches generating a shadow DLL which intercepts calls from a calling application in 
order to trace events occurring upon entries or exits from the DLL. This is accomplished by 
renaming the target DLL and naming the shadow DLL using the target's name. This is much 
different from what is claimed in claim 1 wherein one or more stubs in a third software module 
are used to invoke the functionality of the second software module. In the illustrative example 
shown in Fig. 5 the second software module would be the "Blackbox" and the third software 
module would be the DRM API having the blackbox stubs. 



Examiner's response: 
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a) Examiner disagrees. PekowskiOl clearly discloses ''a third software module having one 
or more stubs for performing said first method that invokes said functionality performed by the 
second software module, the one or more stubs being used to enter the second software module 
and identify said functionality" (see Figure 6: 725; Column JO: 25-27, ''Call 705 to the entry 
point to target DLL 710 calls corresponding entry point function 720 in shadow DLL 725. land 
31-35, "Shadow DLL 725 contains entry point functions 735, 740, 745 for each entry point in the 
target DLL 710. After jumping to the common entry code 730, the common entry then jumps to 
target DLL 710 which then returns to exit function 750 in shadow DLL 725. Note that the 
shadow DLL contains entry point functions (one or more stubs) for each entry point in the target 
DLL, Thus, the entry point function is used to jump to the common entry point function, which 
then jumps to the target DLL, 

In response to Applicant's argument that the references fail to show certain features of 
Applicant's invention, it is noted that the features upon which Applicant relies {i.e., the one or 
more stubs can, for example, be code segments which are callable by the first software module 
and the one or more stubs comprise data required during the verification by the second software 
module) are not recited in the rejected claim(s). Although the claims are interpreted in light of 
the specification, limitations from the specification are not read into the claims. See In re Van 
Geuns, 988 F.2d 1 181, 26 USPQ2d 1057 (Fed. Cir. 1993). The claim language does not require 
these particular features related to the stubs. Applicant is reminded that in order for such 
limitations to be considered, the claim language requires to specifically recite such limitations in 
the claims, otherwise broadest reasonable interpretations of the broadly claimed limitations are 
deemed to be proper. 
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In the Remarks, Applicant argues: 

b) In particular dependent claim 3 now recites "wherein the data required during said 
verification is mixed into instruction streams provided by the one or more stubs." Support for 
this amendment can be found in paragraph [0036], The cited Pekowski reference fails to teach a 
method wherein data required for verification is mixed into instruction steams provided by one 
or more stubs as recited. 

* 

Examiner's response: 

b) Examiner disagrees. PekowskiOl clearly discloses "wherein the data required during said 
verification is mixed into instruction streams provided by the one or more stubs" (see Column 
10: 27-30y ' Entry point 720 contains programming code which contains the instruction of 
jumping to common entry code 730 while passing the parameters of entry point address, hook 
value, entry only flag, and first time flag, 'y. Thus, the entry point function contains code and the 
parameters necessary for jumping to the common entry function. Note that the shadow DLL's 
common entry function's stack already contains the caller's return address for verification. 

Furthermore, Applicant's arguments fail to comply with 37 CFR LI 1 1(b) because they 
amount to a general allegation that the claims define a patentable invention without specifically 
pointing out how the language of the claims patentably distinguishes them from the references. 



In the Remarks^ Applicant argues: 
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c) With regard to dependent claim 4 it has been amended to further recite in part, "the 
second calling convention comprising a non-standard calling convention that preserves a return 
address across more than one call boundary." Support for this amendment can be found in 
paragraph [0045]. The cited Pekowski reference fails to teach or suggest such a non-standard. 
caUing convention as now recited. 

Examiner's response: 

c) Examiner disagrees. PekowskiOl clearly discloses "the second calling convention 
comprising a non-standard calling convention that preserves a return address across more than 
one call boundary" (see Figure 3; Column 9: 43-47, ''At the shadow DLL's common entry 
function, the stack contains the caller's return address 600, the caller's parameters 610, the first 
time called flag 602, entry only flag 604, hook value 606, and target DLL's entry point address 
608. " and 52-59, ''At the target DLL's entry point fiinction, the stack contains the caller's 
parameters 610 pushed onto the stack by the caller and the return address 630 of element 
allocated from the return function table replaced by the common entry function (see FIG, 5C). 
The return address table contains the caller's return address 600 and the hook value 606 for 
entry point allocated by the common entry function to save caller's return address, Note that 
the target DLL's entry point function's stack contains the caller's return address. Thus, the 
caller's return address is preserved from the calling application program to the shadow DLL and 
from the shadow DLL to the target DLL. 
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Furthermore, Applicant's arguments fail to comply with 37 CFR 1.1 1 1(b) because they 
amount to a general allegation that the claims define a patentable invention without specifically 
pointing out how the language of the claims patentably distinguishes them from the references. 

Conclusion 

2 1 , The prior art made of record and not relied upon is considered pertinent to Applicant's 
disclosure. 

Any inquiry concerning this communication or earlier communications from the 
Examiner should be directed to Qing Chen whose telephone number is 571-270-1071. The 
Examiner can normally be reached on Monday through Thursday from 7:30 AM to 4:00 PM. 
The Examiner can also be reached on alternate Fridays. 

If attempts to reach the Examiner by telephone are unsuccessful, the Examiner's 
supervisor, Wei Zhen, can be reached on 571-272-3708. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Any inquiry of a general nature or relating to the status of this appHcation or proceeding 
should be directed to the TC 2100 Group receptionist whose telephone number is 571-272-2100. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is'available through Private PAIR only. For more information about the PAIR 
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system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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